Fact sheet for councils: the use of 


personal email addresses and devices 


This factsheet has been produced following a series of workshops 
and discussions with local councils across the UK and will be of 
interest to parish council clerks looking for steps they can take to 
improve their council’s data protection compliance. 


The majority of parish clerks attending the Society of Local Council Clerks (SLCC) 
Leadership in Action Conference 2019 ranked the use of personal email addresses 
and devices for council business as their top data protection concern. 


The UK General Data Protection Regulation (GDPR) and the Data Protection Act 
2018 (DPA) don’t say which email systems or devices should be used. But if the 
use of personal email addresses and devices is something your council does, you 
should be aware of the risks and the council's data protection obligations and 
responsibilities. 


Fact: Councils must ensure the confidentiality, 

integrity and availability of all personal data 

they hold, even if the data is being processed 

through personal email accounts or is stored on 
Zz 


a privately-owned device. 


As a data controller, a council has obligations relating to the confidentiality, 
integrity and availability of all personal data it holds. This means that the council is 
accountable for any council business conducted involving personal data on any 
device or through any email account. 


The use of personal devices and email accounts could raise the risk that personal 
data is processed for different purposes from which it was originally collected. All 
members of the council should ensure they know their responsibilities in terms of 
only using personal data for the purposes which the council obtained it. 
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If copies of data (such as email attachments) are stored on many different devices, 
there’s an increased risk that it’ll become out-of-date or inaccurate over time. 
There’s also an increased risk that it'll be retained for longer than necessary, 
because it’s difficult to keep track of copies. 


You may also find it difficult to respond on time to a subject access request if you 
have to search multiple devices or if you aren’t aware of all the devices on which 
personal data may be stored. 


Questions to ask: 


e What types of devices are in use? 


e Who else uses the personal email account or privately-owned device, and 
who else has access? 


e How can you control the data on the personal email account or privately- 
owned device (eg accuracy and retention)? 


e How much consideration has been given to the data on the device being 
overlooked? 


Fact: Councils must process personal data 
securely — which may be more difficult to 
achieve if it’s being processed through 
personal email accounts or is stored on 
privately-owned devices. 


Councils must have ‘appropriate technical and organisational measures’ in place to 
prevent the personal data it holds being accidentally or deliberately compromised. 

This includes physical and organisational security measures and also cybersecurity. 
If data is shared around multiple devices this introduces more points of failure and 
vulnerability. 


There’s no ‘one size fits all’ solution to information security. The UK GDPR doesn’t 
define the security measures that you should have in place. It requires you to have 
a level of security that is ‘appropriate’ to the risks presented by your processing. 
What’s appropriate for your council will depend on your own circumstances, the 
information you're processing, and the risks it presents. 


As the data controller, the council must ensure that all processing of personal data 
under its control remains compliant, regardless of the ownership of the device used 
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to carry out the processing. If there’s a personal data breach, you must be able to 
demonstrate that you’ve secured, controlled or deleted all personal data on a 
particular device. 


Questions to ask: 


e How secure are the devices (eg is the device password-protected and what is 
the risk of malware)? 


e What if the device is lost or stolen - can you remotely locate it and wipe the 
data? 


e What operating system is the privately-owned device running? 


e How is data transferred to other devices, and how secure are these systems 
and/or devices? 


e Is your council using or considering cloud storage? 


Fact: Councils must demonstrate that they 
are UK GDPR-compliant, and the use of 
personal email accounts and privately- 
owned devices may make this more 
complicated. 


The principle of accountability requires you to be able to demonstrate that you are 
complying with the UK GDPR, and have appropriate policies and processes in place. 
If personal devices or email accounts are being used, you should have an effective 
organisational policy in place to ensure that the associated risks are managed. 


You'll also need to take steps to make sure your members are aware of the policy 
and that it is implemented. This could include training, monitoring and audits. 


Questions to ask: 


e If you’re using personal email addresses and/or devices to process data for 
council business, do you have an acceptable use policy in place to manage 
this? 


e Have you implemented appropriate security measures as outlined above? 
e Have you documented the associated risks and subsequent decisions? 
e Does your council need to review/update its current approach? 
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More information 


For more information about the accountability principle with the UK GDPR, visit 
ico.org.uk and search ‘accountability principle’. 


The challenges of using a personal email system or device are set out in more 


detail in the ICO’s Bring your own device (BYOD) guidance - visit ico.org.uk and 


search ‘BYOD’. 
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